Akamai Confidential Web targeted DDoS attack: trends, tools and tactics Christiaan Ehlers, Senior Service Consultant – Akamai Technologies.

1 Akamai Confidential Web targeted DDoS attack: trends, tools and tactics Christiaan Ehlers, Senior Service Consultant – Akamai Technologies

2 Akamai Confidential ©2012 Akamai Faster Forward™ Anonymous attack on the Home Office, 7th April 2012

3 DoS motivation
- Organized crime: profit
- Political hacktivism
- State sponsored
- Traditional hackers: glory hounds

4 Let's hold up somebody for ransom (actual ransom note):
"Your site www.#####.de will be subjected to DDoS attacks 100 Gbit/s. Pay 100 btc(bitcoin) on the account 1ACFJHoB8Z3KDwDn6XdNTEJb6S7VsQiLZG Do not reply to this email"

5 Over 40X increase in traffic

6 A very brief introduction
DoS attacks have moved up the stack: from IP floods and SYN floods to application-level attacks. Attacks on the network and transport layers targeted the OS (the TCP/IP stack) of the receiving machine. An attack on the application layer penetrates deeper into the infrastructure: it no longer stops at the firewall or the proxy, it can reach the backend database. Development and architecture effort is focused on securing against the classical hacking attacks; DoS vulnerability takes a back seat.

7 DoS vulnerability
If the target system spends a disproportionately larger amount of resources serving a response than the attacker spends producing the request, you potentially have a DoS vulnerability.

8 Target areas
- Bandwidth
  - Inbound (sometimes difficult to exploit, but also difficult to protect)
  - Outbound
- Data access and processing (CPU, memory and disk access)
  - Database searches
  - Formatting, regular expressions, encoding, etc.
  - Cryptographic processing
- System limits
  - Registers, file handles, configured limits, etc. (slow attacks)
- Algorithmic or architectural inefficiencies

9 Brute force attacks
Usually aimed at the bandwidth and the data access and processing targets. They attempt to interfere with normal operation by consuming resources through sending large volumes of requests to the target. The traffic can look like normal browser traffic. The traffic volume required for an effective attack is determined by the capacity and the per-request overhead of the target system.

10 Algorithmic or architectural inefficiencies
ApacheKiller: Apache prepares a memory buffer for each byte range requested in the "Range" header. If enough ranges are requested, a single request can exhaust the server's memory.
Hash table collision: a hash-collision attack turns the insertion of n elements into a hash table from an O(n) operation into an O(n^2) one, because every crafted key lands in the same bucket and is compared against all the keys already there.
Exploitation requires "abnormal" requests, so these attacks are fairly easy to identify, block and fix.
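The hash-collision case is easy to measure. The following is an added example, not code from the slides: a minimal separate-chaining hash table that counts key comparisons, a predictable djb2-style string hash, a generator of keys that all collide under it, and a keyed hash as the fix. The bucket count, the key counts and the secret key are arbitrary choices for the demonstration; the collision construction itself follows from the hash's algebra ("Ab" and "BA" hash equally, and so does any concatenation of such blocks).

```python
"""Hash-table collision DoS: predictable hash vs. keyed hash.

Added example (not code from the original slides). The table, the djb2-style
hash and the key generator are written here to make the O(n^2) behaviour
measurable; the bucket count and key counts are arbitrary choices.
"""
import hashlib
import itertools
import os


def djb2(s: str) -> int:
    """Classic 32-bit multiplicative string hash: h = h*33 + c.
    Its algebra makes collisions trivial to generate (see colliding_keys)."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


_KEY = os.urandom(16)  # assumption: a per-process secret the attacker cannot learn


def keyed_hash(s: str) -> int:
    """Mitigation: a keyed hash, so bucket placement cannot be predicted offline."""
    digest = hashlib.blake2b(s.encode(), key=_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n: int) -> list:
    """n distinct strings with identical djb2 hashes.
    'Ab' and 'BA' collide (33*65+98 == 33*66+65); because djb2 is a polynomial
    in the characters, every concatenation of such blocks collides too."""
    blocks = ("Ab", "BA")
    k = max(1, (n - 1).bit_length())  # 2**k >= n
    products = itertools.product(blocks, repeat=k)
    return ["".join(p) for p in itertools.islice(products, n)]


class ChainedHashTable:
    """Separate-chaining table that counts key comparisons on insert."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one comparison per entry already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def count_comparisons(keys, hash_fn) -> int:
    """Comparisons needed to insert keys (e.g. POST parameter names) into a fresh table."""
    table = ChainedHashTable(hash_fn)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def compare(n: int = 2048) -> dict:
    """Benign form-field names vs. crafted colliding names, with and without the fix."""
    benign = [f"field{i}" for i in range(n)]
    hostile = colliding_keys(n)
    return {
        "benign_djb2": count_comparisons(benign, djb2),
        "hostile_djb2": count_comparisons(hostile, djb2),  # == n*(n-1)/2
        "hostile_keyed": count_comparisons(hostile, keyed_hash),
    }


if __name__ == "__main__":
    for name, c in compare().items():
        print(f"{name:14s} {c:>10,d} comparisons")
```

With 2048 crafted parameter names the predictable hash performs 2048*2047/2 comparisons for a single request body, while the same names under the keyed hash cost roughly as much as benign names. Blocking requests with an abnormal number of parameters is the quick fix; the keyed hash removes the underlying vulnerability.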

11 Attack distribution
Single-origin DoS attack
- Fewer resources available
- Potentially easier to block
- Attacker has no synchronization or management problems
Distributed DoS
- More resources available
- Difficult to block
- Attackers have a synchronization and management problem
- Botnet command and control centers
- Opt-in networks ("Thrall-Net")

12 Attack tools
Common opt-in attack tools
- LOIC – Low Orbit Ion Cannon
- HOIC – High Orbit Ion Cannon
Slow attack tools
- Slowloris
- RUDY – R U Dead Yet

13 LOIC
- Web-browser versions that can simply be browsed to; no software to install
- IRC interface for coordination
- Easy interface
- Multithreaded
- One type of request per session
- Not very configurable
- Easy to detect

14 HOIC
- Easy-to-use interface
- Booster packs to randomise various HTTP headers and target URLs
- Multithreaded
- Rate throttling

15 HOIC booster pack

    Dim useragents() as String
    Dim referers() as String
    Dim randheaders() as String
    Dim randURLs() as String

    // populate rotating urls
    // By Nathos, don't use too many threads or you may nuke yourself.
    // IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!!
    // PRO-TIP: You should create a new target and .hoic file if u want to attack a different organization
    randURLs.Append "http://www.formula1.com/default.html"
    randURLs.Append "http://www.formula1.com/news/"
    randURLs.Append "http://www.formula1.com/races/"
    randURLs.Append "http://www.formula1.com/results/"
    randURLs.Append "http://www.formula1.com/gallery/"
    randURLs.Append "http://www.formula1.com/teams_and_drivers/"
    randURLs.Append "http://www.formula1.com/inside_f1/"
    randURLs.Append "http://www.formula1.com/live_timing/"
    randURLs.Append "http://www.formula1.com/video/"

    // rotate out url
    URL = randURLs(RndNumber(0, randURLs.UBound))

    // EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!
    useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Booster pack features:
- randURLs.Append – attack randomly selected URLs
- useragents.Append – randomly selected User-Agent headers
- referers.Append – randomly selected Referer headers
- randheaders.Append – randomly selected extra headers to append
- Makes it harder to separate attack traffic from legitimate traffic
- Easily distributed, since it is just a text file; usually posted on http://pastebin.com
- Can be customised for a particular target

16 Slow attacks
Tie up web server resources by sending requests very slowly.
Examples:
- Slowloris
- R U Dead Yet (RUDY)
A trickle feed of characters to the web server ensures that a connection is occupied for as long as possible. Is this an attack, or just a client on dial-up? The Apache web server has a default limit of 256 concurrent connections, so a few hundred such connections are enough.
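The "attack or dial-up?" question has a practical answer: enforce a minimum receive rate rather than a fixed idle timeout. A modem still delivers kilobytes per second, while Slowloris sends a few bytes every ten seconds. The following is an added example, not code from the slides or from Akamai: a replay of constructed arrival-time traces through a simplified minimum-rate policy (the connection gets an initial window, earns one extra second per `min_rate` bytes received, and is capped at `max_timeout`). The policy numbers, the sample header and the traffic traces are all assumptions; the same check is applied to the header phase (Slowloris) and to the body phase (RUDY) by swapping the completion predicate.

```python
"""Minimum-receive-rate check against slow-request (Slowloris / RUDY style) attacks.

Added example, not code from the original slides. The policy numbers are
assumptions chosen to resemble a typical reverse-proxy read-timeout setting;
the traffic traces below are constructed, not captures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReadPolicy:
    initial_timeout: float = 20.0  # seconds granted when the connection opens
    max_timeout: float = 40.0      # hard ceiling no matter how much arrives
    min_rate: float = 500.0        # bytes/second the client must sustain to earn more time


DEFAULT_POLICY = ReadPolicy()


def enforce_min_rate(chunks, policy, is_complete):
    """Replay a list of (arrival_time_s, bytes) events through the policy.

    Returns (verdict, time_s, bytes_received) where verdict is
    "complete"   - is_complete(buffer) became true before the deadline,
    "dropped"    - a chunk arrived after the deadline (server would close),
    "incomplete" - the client closed without finishing.
    The deadline starts at initial_timeout, grows by one second for every
    min_rate bytes received, and is capped at max_timeout.
    """
    buf = bytearray()
    deadline = policy.initial_timeout
    last_t = 0.0
    for t, data in chunks:
        if t > deadline:
            return ("dropped", deadline, len(buf))
        buf += data
        last_t = t
        if is_complete(bytes(buf)):
            return ("complete", t, len(buf))
        deadline = min(policy.max_timeout,
                       policy.initial_timeout + len(buf) / policy.min_rate)
    return ("incomplete", last_t, len(buf))


def headers_done(buf: bytes) -> bool:
    return b"\r\n\r\n" in buf


def body_done(content_length: int):
    return lambda buf: len(buf) >= content_length


def trickle(start: float, interval: float, data: bytes, count: int):
    """count copies of data, one every interval seconds, starting at start."""
    return [(start + i * interval, data) for i in range(count)]


def stream_at_rate(data: bytes, chunk_size: int, bytes_per_sec: float, start: float = 0.0):
    """Split data into chunk_size pieces arriving at a sustained bytes_per_sec."""
    interval = chunk_size / bytes_per_sec
    pieces = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [(start + n * interval, p) for n, p in enumerate(pieces)]


# Constructed sample traffic (not captures).
_COOKIE = b"Cookie: session=" + b"a" * 1500 + b"\r\n"
DIALUP_HEADERS = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                  + _COOKIE + b"\r\n")
# A 56 kbit/s modem delivers roughly 6000 bytes/s: slow, but far above min_rate.
DIALUP_STREAM = stream_at_rate(DIALUP_HEADERS, 100, 6000.0)

# Slowloris: a valid opening, then one bogus header line every 10 s, never a blank line.
SLOWLORIS_STREAM = ([(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")]
                    + trickle(10.0, 10.0, b"X-a: b\r\n", 500))

# RUDY: headers already complete and announcing a large body; the body comes one byte at a time.
RUDY_CONTENT_LENGTH = 1_000_000
RUDY_BODY_STREAM = trickle(0.0, 10.0, b"A", 500)


def classify_all() -> dict:
    return {
        "dialup": enforce_min_rate(DIALUP_STREAM, DEFAULT_POLICY, headers_done),
        "slowloris": enforce_min_rate(SLOWLORIS_STREAM, DEFAULT_POLICY, headers_done),
        "rudy": enforce_min_rate(RUDY_BODY_STREAM, DEFAULT_POLICY,
                                 body_done(RUDY_CONTENT_LENGTH)),
    }


if __name__ == "__main__":
    for name, (verdict, t, n) in classify_all().items():
        print(f"{name:10s} {verdict:10s} at {t:6.2f}s after {n} bytes")
```

The dial-up client finishes its 1.6 KB header in well under a second; the Slowloris connection is cut at about 20 s having delivered 55 bytes, and the RUDY body after three bytes. A rate-based policy therefore frees the connection slot long before a Slowloris client can hold 256 of them, without punishing genuinely slow links.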

17 Hardening against DoS – tactic 1
Avoid resource-intensive processing
- Optimize processing and data retrieval operations
- Cache processing and data retrieval operations
  - Cache the results of resource-intensive processing: DB -> disk -> memory
  - Use reverse web caches

18 Hardening against DoS – tactic 2
If you are going to work hard to generate the response, make sure the client works hard to generate the request!
- Protect resource-intensive operations behind authentication
- User and user-agent validation: challenge-response tests to prove it's a human or a browser
  - CAPTCHA to prove you are dealing with a human
  - JavaScript or Flash challenges to prove that you are dealing with a browser
- Session management
  - Issue and rotate session management cookies
- URL tokens
The list goes on, but how appropriate are the mechanisms?
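One way to put a URL token in front of an expensive operation, as an added example rather than code from the slides or from Akamai: the cheap front door (after a session or challenge succeeded) issues a short-lived HMAC token bound to the client's session and to the exact path it unlocks; the expensive endpoint verifies it with one HMAC and a constant-time compare before touching the database. The secret key, the 60-second lifetime, the `/search` path and the simulated search are assumptions.

```python
"""Gating an expensive endpoint behind a short-lived HMAC URL token.

Added example, not code from the original slides. The secret key, the TTL
and the simulated "expensive search" are assumptions; the point is that the
server spends one HMAC on a bad request instead of a database query.
"""
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, rotated out of band
TOKEN_TTL = 60               # seconds a token stays valid
CALLS = {"expensive_search": 0}


def _message(client_id: str, path: str, exp: int) -> bytes:
    # The token is bound to the session cookie value and to the exact path it unlocks,
    # so it cannot be lifted from one session or endpoint and replayed on another.
    return f"{client_id}|{path}|{exp}".encode()


def issue_token(client_id: str, path: str, now: float = None) -> str:
    """Handed out by the cheap front door after a session or challenge succeeded."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    mac = hmac.new(SERVER_KEY, _message(client_id, path, exp), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_token(token: str, client_id: str, path: str, now: float = None) -> bool:
    """Cheap check: one HMAC and a constant-time compare, no database access."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except (AttributeError, ValueError):
        return False  # malformed token
    if (time.time() if now is None else now) > exp:
        return False  # expired: a replayed or hoarded token
    expected = hmac.new(SERVER_KEY, _message(client_id, path, exp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def expensive_search(query: str) -> list:
    """Stand-in for the database search or report generation an attacker wants to trigger."""
    CALLS["expensive_search"] += 1
    return sorted(w for w in query.split() if w)


def handle_search(token: str, client_id: str, query: str, now: float = None):
    """The protected endpoint: reject before doing any real work."""
    path = "/search"
    if not verify_token(token, client_id, path, now):
        return 403, None
    return 200, expensive_search(query)


if __name__ == "__main__":
    tok = issue_token("sess-1", "/search")
    print(handle_search(tok, "sess-1", "formula one results"))   # (200, [...])
    print(handle_search(tok, "sess-2", "formula one results"))   # (403, None)
```

An attacker who cannot obtain tokens (no session, no passed challenge) costs the server one HMAC per request; one who does obtain a token can only spend it on the path, session and 60-second window it was issued for, which turns an unbounded amplification into a rate bounded by how fast the front door hands out tokens.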

19 Additional mitigation (is hardening enough?)
Mitigation devices such as scrubbers or WAF devices
How do we separate the good from the bad?
- Signatures
- Rate limiting
- Anomaly detection
Where does the mitigation go?
- At the origin
- In the cloud
Which layer should be inspected to sort the good from the bad?
- Transport (socket) and network layer
- Application layer – what about SSL?

20 Questions?

